feat(auth): add option to disable built-in login when using OIDC (#1908)

* feat(auth): disable built-in login by config

* cleanup config

* fix(web): prevent login form flash by waiting for OIDC config

* refactor(config): standardize OIDC TOML format

- Adds camelCase TOML tags to OIDC config struct while keeping mapstructure tags for backward compatibility
- Updates config template to use camelCase format

* refactor: kyles changes

* refactor: prefix disablebuiltinlogin with oidc

* docs: revert format change

---------

Co-authored-by: ze0s <43699394+zze0s@users.noreply.github.com>

README.md

@@ -317,7 +317,7 @@ If you are not running a reverse proxy change `host` in the `config.toml` to `0.
 The following environment variables can be used:
 
 | Variable                               | Description                                              | Default                                  |
-|-------------------------------------|--------------------------------------|------------------------------------------|
+| -------------------------------------- | -------------------------------------------------------- | ---------------------------------------- |
 | `AUTOBRR__HOST`                        | Listen address                                           | `127.0.0.1`                              |
 | `AUTOBRR__PORT`                        | Listen port                                              | `7474`                                   |
 | `AUTOBRR__BASE_URL`                    | Base URL for reverse proxy                               | `/`                                      |
@@ -341,6 +341,7 @@ The following environment variables can be used:
 | `AUTOBRR__OIDC_CLIENT_ID`              | OIDC client ID                                           | -                                        |
 | `AUTOBRR__OIDC_CLIENT_SECRET`          | OIDC client secret                                       | -                                        |
 | `AUTOBRR__OIDC_REDIRECT_URL`           | OIDC callback URL                                        | `https://baseurl/api/auth/oidc/callback` |
+| `AUTOBRR__OIDC_DISABLE_BUILT_IN_LOGIN` | Disable login form (only works when using external auth) | `false`                                  |
 | `AUTOBRR__METRICS_ENABLED`             | Enable Metrics server                                    | `false`                                  |
 | `AUTOBRR__METRICS_HOST`                | Metrics listen address                                   | `127.0.0.1`                              |
 | `AUTOBRR__METRICS_PORT`                | Metrics listen port                                      | `9074`                                   |

config.toml

@@ -72,19 +72,22 @@ sessionSecret = "secret-session-key"
 # OpenID Connect Configuration
 #
 # Enable OIDC authentication
-#oidc_enabled = false
+#oidcEnabled = false
-
+#
 # OIDC Issuer URL (e.g. https://auth.example.com)
-#oidc_issuer = ""
+#oidcIssuer = ""
-
+#
 # OIDC Client ID
-#oidc_client_id = ""
+#oidcClientId = ""
-
+#
 # OIDC Client Secret
-#oidc_client_secret = ""
+#oidcClientSecret = ""
-
+#
 # OIDC Redirect URL (e.g. http://localhost:7474/api/auth/oidc/callback)
-#oidc_redirect_url = ""
+#oidcRedirectUrl = ""
+#
+# Disable Built In Login Form (only works when using external auth)
+#oidcDisableBuiltInLogin = false
 
 # Metrics
 #
@@ -93,11 +96,11 @@ sessionSecret = "secret-session-key"
 
 # Metrics server host
 #
-# metricsHost = "127.0.0.1"
+#metricsHost = "127.0.0.1"
 
 # Metrics server port
 #
-# metricsPort = "9074"
+#metricsPort = "9074"
 
 # Metrics basic auth
 #

internal/auth/oidc.go

@@ -26,6 +26,7 @@ type OIDCConfig struct {
 	ClientID            string
 	ClientSecret        string
 	RedirectURL         string
+	DisableBuiltInLogin bool
 	Scopes              []string
 }
 
@@ -129,6 +130,7 @@ func NewOIDCHandler(cfg *domain.Config, log zerolog.Logger) (*OIDCHandler, error
 			ClientID:            cfg.OIDCClientID,
 			ClientSecret:        cfg.OIDCClientSecret,
 			RedirectURL:         cfg.OIDCRedirectURL,
+			DisableBuiltInLogin: cfg.OIDCDisableBuiltInLogin,
 			Scopes:              scopes,
 		},
 		provider: provider,
@@ -285,24 +287,27 @@ type GetConfigResponse struct {
 	Enabled             bool   `json:"enabled"`
 	AuthorizationURL    string `json:"authorizationUrl"`
 	State               string `json:"state"`
+	DisableBuiltInLogin bool   `json:"disableBuiltInLogin"`
 }
 
 func (h *OIDCHandler) GetConfigResponse() GetConfigResponse {
 	if h == nil {
 		return GetConfigResponse{
 			Enabled:             false,
+			DisableBuiltInLogin: false,
 		}
 	}
 
 	state := generateRandomState()
 	authURL := h.oauthConfig.AuthCodeURL(state)
 
-	h.log.Debug().Bool("enabled", h.config.Enabled).Str("authorization_url", authURL).Str("state", state).Msg("returning OIDC config response")
+	h.log.Debug().Bool("enabled", h.config.Enabled).Str("authorization_url", authURL).Str("state", state).Bool("disable_built_in_login", h.config.DisableBuiltInLogin).Msg("returning OIDC config response")
 
 	return GetConfigResponse{
 		Enabled:             h.config.Enabled,
 		AuthorizationURL:    authURL,
 		State:               state,
+		DisableBuiltInLogin: h.config.DisableBuiltInLogin,
 	}
 }
 

internal/config/config.go

@@ -112,19 +112,22 @@ sessionSecret = "{{ .sessionSecret }}"
 # OpenID Connect Configuration
 #
 # Enable OIDC authentication
-#oidc_enabled = false
+#oidcEnabled = false
 #
 # OIDC Issuer URL (e.g. https://auth.example.com)
-#oidc_issuer = ""
+#oidcIssuer = ""
 #
 # OIDC Client ID
-#oidc_client_id = ""
+#oidcClientId = ""
 #
 # OIDC Client Secret
-#oidc_client_secret = ""
+#oidcClientSecret = ""
 #
 # OIDC Redirect URL (e.g. http://localhost:7474/api/auth/oidc/callback)
-#oidc_redirect_url = ""
+#oidcRedirectUrl = ""
+#
+# Disable Built In Login Form (only works when using external auth)
+#oidcDisableBuiltInLogin = false
 
 # Metrics
 #
@@ -432,6 +435,10 @@ func (c *AppConfig) loadFromEnv() {
 		c.Config.OIDCRedirectURL = v
 	}
 
+	if v := os.Getenv(prefix + "OIDC_DISABLE_BUILT_IN_LOGIN"); v != "" {
+		c.Config.OIDCDisableBuiltInLogin = strings.EqualFold(strings.ToLower(v), "true")
+	}
+
 	if v := os.Getenv(prefix + "METRICS_ENABLED"); v != "" {
 		c.Config.MetricsEnabled = strings.EqualFold(strings.ToLower(v), "true")
 	}

internal/domain/config.go

@@ -29,12 +29,13 @@ type Config struct {
 	ProfilingEnabled        bool   `toml:"profilingEnabled"`
 	ProfilingHost           string `toml:"profilingHost"`
 	ProfilingPort           int    `toml:"profilingPort"`
-	OIDCEnabled           bool   `mapstructure:"oidc_enabled"`
+	OIDCEnabled             bool   `toml:"oidcEnabled" mapstructure:"oidc_enabled"`
-	OIDCIssuer            string `mapstructure:"oidc_issuer"`
+	OIDCIssuer              string `toml:"oidcIssuer" mapstructure:"oidc_issuer"`
-	OIDCClientID          string `mapstructure:"oidc_client_id"`
+	OIDCClientID            string `toml:"oidcClientId" mapstructure:"oidc_client_id"`
-	OIDCClientSecret      string `mapstructure:"oidc_client_secret"`
+	OIDCClientSecret        string `toml:"oidcClientSecret" mapstructure:"oidc_client_secret"`
-	OIDCRedirectURL       string `mapstructure:"oidc_redirect_url"`
+	OIDCRedirectURL         string `toml:"oidcRedirectUrl" mapstructure:"oidc_redirect_url"`
-	OIDCScopes            string `mapstructure:"oidc_scopes"`
+	OIDCScopes              string `toml:"oidcScopes" mapstructure:"oidc_scopes"`
+	OIDCDisableBuiltInLogin bool   `toml:"oidcDisableBuiltInLogin" mapstructure:"disable_built_in_login"`
 	MetricsEnabled          bool   `toml:"metricsEnabled"`
 	MetricsHost             string `toml:"metricsHost"`
 	MetricsPort             int    `toml:"metricsPort"`

web/src/api/APIClient.ts

@@ -262,10 +262,10 @@ export const APIClient = {
       { body: req }),
     getOIDCConfig: async () => {
       try {
-        return await appClient.Get<{ enabled: boolean; authorizationUrl: string; state: string }>("api/auth/oidc/config");
+        return await appClient.Get<{ enabled: boolean; authorizationUrl: string; state: string; disableBuiltInLogin: boolean }>("api/auth/oidc/config");
       } catch (error: unknown) {
         if (error instanceof Error && error.message?.includes('404')) {
-          return { enabled: false, authorizationUrl: '', state: '' };
+          return { enabled: false, authorizationUrl: '', state: '', disableBuiltInLogin: false };
         }
         throw error;
       }

web/src/screens/auth/Login.tsx

@@ -140,10 +140,12 @@ export const Login = () => {
         </h2>
       </div>
 
+      {/* Wait for OIDC config to load before rendering any login forms */}
+      {typeof oidcConfig !== 'undefined' && (
         <div className="mt-10 sm:mx-auto sm:w-full sm:max-w-[480px]">
-        <div className={`px-6 ${!canOnboard ? 'py-12 bg-white dark:bg-gray-800 shadow sm:rounded-lg sm:px-12 border border-gray-150 dark:border-gray-775' : ''}`}>
+          <div className={`px-6 ${(!canOnboard && (!oidcConfig?.enabled || !oidcConfig?.disableBuiltInLogin)) ? 'py-12 bg-white dark:bg-gray-800 shadow sm:rounded-lg sm:px-12 border border-gray-150 dark:border-gray-775' : ''}`}>
-          {/* Only show regular login form if onboarding is not available */}
+            {/* Built-in login form */}
-          {!canOnboard && (
+            {!canOnboard && (!oidcConfig?.enabled || !oidcConfig?.disableBuiltInLogin) && (
               <>
                 <form onSubmit={handleSubmit(onSubmit)} className="space-y-6">
                   <TextInput<LoginFormFields>
@@ -202,9 +204,9 @@ export const Login = () => {
               </>
             )}
 
-          {/* OIDC login button */}
+            {/* OIDC button */}
             {oidcConfig?.enabled && (
-            <div className={!canOnboard ? 'mt-6' : ''}>
+              <div className={(!canOnboard && !oidcConfig?.disableBuiltInLogin) ? 'mt-6' : ''}>
                 <button
                   type="button"
                   onClick={handleOIDCLogin}
@@ -217,6 +219,7 @@ export const Login = () => {
             )}
           </div>
         </div>
+      )}
     </div>
   );
 };